Singapore government pledges to beef up data security after breaches

By on 02/12/2019
Prime minister Lee Hsien Loong was among those affected by a major healthcare data leak last year. (Image courtesy: russia-asean20.ru).

The Singapore government is to establish a new Data Security Office and implement a number of measures to better safeguard citizen information, following a series of serious data leaks.  

The decision to set up the new unit, which will be part of the Prime Minister’s Office, comes after a committee found that 75% of government agencies are not keeping up with existing data security legislation in at least one area.

According to GovInsider, the Public Sector Data Security Review Committee began its review into how the government handles citizen data on 31 March, in the wake of major breaches including the SingHealth leak of personal information belonging to 1.5 million healthcare patients.

Having inspected 366 systems across Singapore’s 94 public sector agencies, the committee made a number of recommendations.

The government has pledged to roll out measures that will satisfy the recommendations in 80% of its systems by the end of 2021, and the remaining 20% by end of 2030.

The recommendations include making public sector leaders accountable for putting in place a “strong organisational data security regime”; encouraging cultural change within agencies on how data is used and shared; and training all civil servants in data security.

“It is imperative that public officers move from a compliance-based system to one that aims to achieve excellence,” the report said.

Single sources of truth

It said agencies should not collect data that has already been collected by other agencies that have been identified as “single sources of truth”, and that they should set a “retention period” when data is gathered and commit to delete it on or before that date.

The committee also called for a better data incident management system, involving a standardised post-incident inquiry process carried out by a separate organisation following a breach, and said a culture of “open reporting of all types of data incidents” should be developed.  

“Data is the lifeblood of the digital economy and a digital government,” prime minister Lee Hsien Loong said in response to the committee’s report. “We need to use and share data as fully as possible to provide better public services.

“In doing so, we must also protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation.”

Lee said the recommendations should be implemented as soon as possible and noted that three of 13 baseline technical measures announced by the committee in July – which include creating a strategy for encrypting sensitive files, and protecting highly sensitive information in a separate, strictly-controlled system – were already in place.

In addition to pledging to satisfy the committee’s recommendations, it is anticipated that the government will broaden the Personal Data Protection Act (PDPA) – for which amendments are likely to be announced next year – to encompass third-party vendors handling government data.   

Serious data breaches

The report follows five major data breaches involving Singapore government agencies over the last 18 months.

The most serious affected 1.5 million patients of SingHealth, Singapore’s largest cluster of healthcare institutions, which includes six hospitals. The institution was targeted by hackers, and information was leaked for almost a year before the breach was discovered in July 2018. Leaked data included the names and addresses of a quarter of the country’s population, and medication records for 160,000 people – including prime minister Lee, who has survived cancer twice.

Teo Chee Hean, coordinating minister for national security, who led the Public Sector Data Security Review Committee, reiterated the inevitability of breaches in the future and stressed the need for a speedy response, according to ZDNet. “While we will do our utmost to reduce the risk of data breaches, we cannot completely eliminate the threat. When such breaches do occur, we will detect them and respond quickly and effectively to limit the breach and damage,” he said.   

About Mia Hunt

Mia is a journalist and editor with a background in covering commercial property, having been market reports and supplements editor at trade title Property Week and deputy editor of Shopping Centre magazine, now known as Retail Destination. She has also undertaken freelance work for several publications including the preview magazine of international trade show, MAPIC, and TES Global (formerly the Times Educational Supplement) and has produced a white paper on energy efficiency in business for E.ON. Between 2014 and 2016, she was a member of the Revo Customer Experience Committee and an ACE Awards judge. Mia graduated from Kingston University with a first-class degree in journalism and was part of the team that produced The River newspaper, which won Publication of the Year at the Guardian Student Media Awards in 2010.

Leave a Reply

Your email address will not be published. Required fields are marked *